Companies say redacting personally identifiable information of users is possible, but it wouldn’t be required under CISPA.

On Thursday, the House of Representatives Select Committee on Intelligence held a hearing on CISPA, the newly introduced “cybersecurity” legislation that would allow companies to pass sensitive user data directly to the government without a judge’s oversight. No members of the civil liberties community were invited to testify. But while Internet freedom advocates were barred from voicing our concerns at the hearing, the testimony of industry representatives brought one important fact to light: experts from the financial industry and the Business Roundtable confirmed that they can remove data that identifies users from cybersecurity threat data before sharing it with the government.

EFF and other civil liberties groups have long said that a smart cybersecurity bill wouldn’t give companies blanket permission to share any and all data with the government. At the hearing, experts from business and finance went on record agreeing with us that the alternative is practical: companies are able to strip out users’ personally identifiable information before sharing threat data.

In the hearing, Representative Adam Schiff (D-CA) questioned former Governor John Engler, President of the Business Roundtable, and Paul Smocer, President of BITS, the technology policy division of the financial industry group called the Financial Services Roundtable. Schiff began by quizzing Engler on whether it was “too much of a burden” for companies to take reasonable steps to remove personally identifiable information from cybersecurity threat data shared with the government:

Schiff: Americans are concerned with the amount of personal information that the government is getting already without adding to it. Is it too much of a burden to ask the private sector to take reasonable steps where reasonable steps can be taken?

Schiff: We just want industry to do what you're asking your daughters to do.

Engler: Exactly.

Schiff then repeated his question, and specifically asked whether the experts testifying believed that companies would find it so burdensome to remove personally identifiable information that they might not even participate in the program.

Schiff: Let me ask it another way. Do you think that the private industry would decide to opt-out of getting classified information about attacks on their own systems because it was required to take reasonable steps to protect the privacy of the American people? You think any companies would say "Well, if I have to take reasonable steps to minimize personal information I'm giving the government I just won't participate?"

Engler: I'll let the companies respond to that. I don't think so.

Smocer: I would also say I don't think that would be the case. I mean, I think—again I go back to the core issue that there is very little private data, PII, being exchanged today in the threat information world. So I don't think it's a big issue to begin with. I think working through, as the Governor [Engler] said, the implementation of specifics will be key, but I think to answer your question I don't think it would be an issue to make sure we're doing it the right way.

Like the experts who testified in Congress, EFF sees no reason that companies couldn’t ensure that personally identifiable information of users was not part of the information provided to the government. But as CISPA is currently drafted, companies wouldn’t be required to ensure that identifiable user data was stripped out. Under the current proposal, “cybersecurity threat information” may be sent directly from companies to the government. Companies are under no requirement to strip out personally identifiable information of users before sending it along, and there are broad immunities granted to companies who share more data than is necessary to communicate a cybersecurity threat.
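What stripping users’ personally identifiable information out of threat data can look like in practice, as an added illustration (this is not code from EFF, from the hearing witnesses, or from any bill text, and the record layout, field names and sample report are assumptions constructed for the example): the indicator fields an analyst needs to act on a threat, such as a malware hash or a command-and-control address, are kept on an allowlist, every field not on it is withheld by default, and free-text fields are scanned for email addresses and internal host addresses before anything leaves the company.

```python
import re

# Allowlist of fields that describe the threat itself. Field names and the
# record layout are assumptions made for this example, not a real
# threat-sharing schema.
INDICATOR_FIELDS = {
    "report_id", "observed_at", "malware_sha256", "c2_domain", "c2_ip",
    "attack_technique", "description",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# RFC 1918 private ranges: an address here identifies a victim's internal
# host, which says nothing about the attacker.
INTERNAL_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"
)


def scrub_text(text):
    """Redact email addresses and internal IP addresses from free text."""
    text = EMAIL_RE.sub("[email redacted]", text)
    text = INTERNAL_IP_RE.sub("[internal host redacted]", text)
    return text


def minimize_report(report):
    """Return (shared, withheld).

    shared   -- a new dict holding only allowlisted fields, with string
                values scrubbed of PII patterns
    withheld -- sorted names of every field dropped because it was not
                on the allowlist (kept for the company's own audit log)
    """
    shared = {}
    withheld = []
    for key, value in report.items():
        if key in INDICATOR_FIELDS:
            shared[key] = scrub_text(value) if isinstance(value, str) else value
        else:
            withheld.append(key)
    return shared, sorted(withheld)


# Constructed sample record; every value is made up for this example.
SAMPLE_REPORT = {
    "report_id": "RPT-0001",
    "observed_at": "2012-04-26T14:03:00Z",
    "malware_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "c2_domain": "update-check.example.net",
    "c2_ip": "203.0.113.45",
    "attack_technique": "spearphishing attachment",
    "description": "Phish delivered to jane.doe@corp.example; "
                   "beacon seen from 10.20.30.40.",
    "victim_email": "jane.doe@corp.example",
    "victim_username": "jdoe",
    "victim_host_ip": "10.20.30.40",
    "mailbox_contents": "(full text of the phishing email as received)",
}

if __name__ == "__main__":
    shared, withheld = minimize_report(SAMPLE_REPORT)
    for key, value in shared.items():
        print(f"{key}: {value}")
    print("withheld:", ", ".join(withheld))
```

The allowlist is the important design choice: a denylist of known PII field names silently passes through any field nobody thought to list, while an allowlist fails closed. The text scan is only a backstop for PII that has leaked into narrative fields; it will miss names and account identifiers that match no pattern, so a human review of the description field before sharing is still warranted.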

Companies may attach restrictions to the further sharing of the data they provide, including “appropriate anonymization or minimization of such information.” But the government can ignore those restrictions, because the bill imposes no liability on the government for violating this provision.

The only would-be privacy protection for stripping out personally identifiable information is a mere suggestion for the federal government: under the bill, the federal government “may…undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information.” This wording is extremely important: the government “may” do this, but isn’t actually required to do this by law.

Right now, the United States has an elaborate body of laws governing how personally identifiable information flows to the government—including industry-specific laws around utilities companies, communications laws like the Stored Communications Act and the Wiretap Act, and video privacy laws like the Cable Privacy Act and the Video Privacy Protection Act. But CISPA as drafted would sidestep all of these laws, allowing companies to share information for “cybersecurity” purposes without requiring them to strip out personally identifiable information of users.

Please join EFF in opposing CISPA by sending an email to Congress now. Blanket permission for companies to share unredacted user data with the government without a warrant is unnecessary and dangerous, and it’s not the right solution for America’s cybersecurity concerns.
